Google throws 'kill switch' on Android phones 

Automatically deletes more than 50 malware-infected apps downloaded by users 

By Gregg Keizer 

March 7, 2011 02:24 PM ET 



Computerworld - For only the second time, Google last weekend remotely 
deleted Android apps from users' phones. 

Google made the move to erase malware-infected applications that users had 
downloaded from the Android Market, the company's official e-store. 

Last Wednesday, Google removed more than 50 infected apps published by 
three different developers from its marketplace, but didn't trigger automatic 
uninstalls until several days later. 

In many cases, the malicious apps were bogus versions of legitimate 
programs that had been recompiled to include malware, or as a Symantec 
researcher said last week, "Trojanized." 
According to San Francisco-based smartphone security firm Lookout, between 50,000 
and 200,000 copies of the apps were downloaded by users before Google yanked them 
from the Android Market. 



Chris DiBona from Google, November 2011: 



"virus companies are playing on your fears to try to sell you bs protection 
software for Android, RIM and IOS. They are charlatans and scammers. If 
you work for a company selling virus protection for android, rim or IOS 
you should be ashamed of yourself." 

"The barriers to spreading such a program from phone to phone are large 
and difficult enough to traverse when you have legitimate access to the 
phone, but this isn't independence day, a virus that might work on 
one device won't magically spread to the other." 

All the major vendors have app markets, and all the major vendors have 
apps that do bad things, are discovered, and are dropped from the 
markets. 
Google Mobile Blog 

News and notes from the Google Mobile team 




Android and Security 

Thursday, February 2, 2012 | 12:03 PM 

By Hiroshi Lockheimer, VP of Engineering, Android 

The last year has been a phenomenal one for the Android ecosystem. Device activations 
grew 250% year-on-year, and the total number of app downloads from Android Market 
topped 11 billion. As the platform continues to grow, we're focused on bringing you the best 
new features and innovations - including in security. 

Adding a new layer to Android security 

Today we're revealing a service we've developed, code named Bouncer, which provides 
automated scanning of Android Market for potentially malicious software without disrupting 
the user experience of Android Market or requiring developers to go through an application 
approval process. 

The service performs a set of analyses on new applications, applications already in Android 
Market, and developer accounts. Here's how it works: once an application is uploaded, the 
service immediately starts analyzing it for known malware, spyware and trojans. It also looks 
for behaviors that indicate an application might be misbehaving, and compares it against 
previously analyzed apps to detect possible red flags. We actually run every application on 
Google's cloud infrastructure and simulate how it will run on an Android device to look for 
hidden, malicious behavior. We also analyze new developer accounts to help prevent 
malicious and repeat-offending developers from coming back. 

Android malware downloads are decreasing 

The service has been looking for malicious apps in Market for a while now, and between the 
first and second halves of 2011, we saw a 40% decrease in the number of potentially 
malicious downloads from Android Market. This drop occurred at the same time that 
companies who market and sell anti-malware and security software have been reporting that 
We've reported previously that malicious apps were discovered in the official Android app store, which is now known 
as Google Play. While those reported apps were removed, more malicious apps have been seen in the official 
marketplace and appear to be still victimizing users. This is just one of the important reasons why we feel that a 
technology like our Trend Micro Mobile App Reputation is crucial in users' overall mobile experience and security. 

In total, we have discovered 17 malicious mobile apps still freely downloadable from Google Play: 10 apps using 
AirPush to potentially deliver annoying and obtrusive ads to users and 6 apps that contain Plankton malware code. 
App             | Package                        | Developer   | Behavior
----------------|--------------------------------|-------------|-------------------------------------------------
                |                                |             | Sends out GPS location, SMS and call log
                | com.antonio.smiley.free        | Antonio     | Connects to C&C server and waits for the command
                | com.antonio.wardrobe.apps.lite |             | Connects to C&C server and waits for the command
                | com.christmasgame.balloon      | Ogre Games  | Connects to C&C server and waits for the command
                |                                | Macte! Labs | Connects to C&C server and waits for the command
                | com.macte.JigsawPuzzle.Hills   | Macte! Labs | Connects to C&C server and waits for the command
                | com.macte.JigsawPuzzle.Food    | Macte! Labs | Connects to C&C server and waits for the command
                |                                | Crisver     | Pushes applications and advertisements to user
NFL Puzzle Game | com.bestpuzzlesgames.nfl       | Crisver     | Pushes applications and advertisements to user
                |                                |             | Pushes applications and advertisements to user
                |                                | Macte! Labs | Pushes applications and advertisements to user



Android Malware 




http://blog.trendmicro.com/how-big-will-the-android-malware-threat-be-in-2012/ 



Where's the challenge? 




The Inside of an APK File 



• AndroidManifest.xml contains 
the meta information; 

- Package name & version 

- Activities 

- Services 

• classes.dex contains all the 
code for the Dalvik Virtual Machine 

• META-INF/ contains the 
certificate and signature. 
APKs are signed zip files 
The Android Manifest File 
Google's Binary XML File 

• Format is not documented 

• Tools for reading Binary XML files are readily 
available 

• Tools for writing Binary XML files are limited 



The Dex File 

Dalvik Executable Format 

• Format is well documented 

• Many modification tools available 

- asmdex 

- smali/baksmali 

- Dexmaker 

• APKs can only use 16 to 32MB of memory so a 
separate Dalvik VM should be started 






The META-INF/ Folder 

Certificate & Signature 

• Format is well documented 

• Many creation tools available 

• jarsigner from JDK 

• signapk from Android Source 

• Minor modifications must be done to run on 
an Android device 
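The META-INF/ folder described above carries the v1 (JAR) signing metadata, and MANIFEST.MF in it records a digest for every other entry in the zip, so a classes.dex or AndroidManifest.xml altered after signing no longer matches. The check below is an added example, not code from the slides or from Trend Micro: it builds a constructed in-memory APK-like zip (the package name and file contents are made up) and reports every entry whose bytes disagree with, or are missing from, MANIFEST.MF.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample entries; a real APK carries a compiled binary manifest and dex.
CLEAN = {"AndroidManifest.xml": b"<manifest package='com.example.sample'/>",
         "classes.dex": b"dex\n035\x00 original classes"}

def build_manifest(entries):
    """Write a JAR-style MANIFEST.MF with one SHA1-Digest per entry (v1 signing)."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed-example", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA1-Digest: {digest}", ""]
    return "\r\n".join(lines).encode()

def build_apk(entries, manifest):
    """Pack entries plus the manifest into a zip: an APK is a signed zip file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

def parse_manifest(text):
    """Map entry name -> recorded SHA1-Digest; JAR folds long lines at 72 bytes
    with a newline plus one space, which is undone before parsing."""
    recorded, current = {}, None
    for line in text.replace("\r\n ", "").replace("\n ", "").splitlines():
        if line.startswith("Name: "):
            current = line[6:]
        elif line.startswith("SHA1-Digest: ") and current:
            recorded[current] = line[13:]
    return recorded

def find_tampered_entries(apk):
    """Return entries whose bytes no longer match MANIFEST.MF, including files
    that carry no digest at all (anything added after signing has none)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        recorded = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for name in z.namelist():
            if name.startswith("META-INF/"):
                continue
            actual = base64.b64encode(hashlib.sha1(z.read(name)).digest()).decode()
            if recorded.get(name) != actual:
                bad.append(name)
    return sorted(bad)
```

A repackaged APK that was fully re-signed with a different key passes this digest check, which is why in practice it is paired with comparing the signing certificate in META-INF/ against the developer's known certificate.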



Infection Demonstration 




Architecture of the Virus 



The "Loader" of the Virus 

• Extract & load Part B 

• Initiate Part B 



The "Payload" of the Virus 

• Locate an uninfected APK file 

• Inject Part A into classes.dex and 
AndroidManifest.xml 

• Copy itself into the APK file 

• Sign the APK file 

• Prompt the user to install the APK file 



Infection Cycle 
Thank You! 



Feel free to contact me anytime at 
bob_pan@trendmicro.com.cn 



